Vulnerable MikroTik routers being used to spread Coinhive miner
Vulnerable MikroTik routers being used to spread Coinhive miner

A security researcher has found that tens of thousands of unpatched MikroTik routers are serving up webpages containing a Coinhive miner.  

Simon Kenin, a researcher with Trustwave's Spiderlab, came across a large spike in Coinhive mining in Brazil on July 31 and upon further investigation found a common issue. In each case, MikroTik routers, which are used by internet providers and enterprises, were in use at some point in the affected system. About 70,000 routers in Brazil were found being used in this manner and Kenin believes the problem now could be spreading outside that country possibly doubling the number involved.

A deeper dive into the problem found a malicious group was exploiting a vulnerability found in the routers that was dutifully patched by the company in April, however, the attackers were targeting routers that had gone unpatched by their owners.

“The exploit targets Winbox and allows the attacker to read files from the device. You can read the details in the dissection above, but the bottom line is that using this exploit you can get unauthenticated remote admin access to any vulnerable MikroTik router,” Kenin wrote.

What was particularly tricky in this case was the attackers did not simply download a Coinhive mining executable onto the router, but instead injected the Coinhive script into every web page that the person visited using the unpatched router. Because this was affecting so many web pages it brought unwanted attention to the scheme so at one point the miner was altered to only appear on error pages served through the exploited routers.

To accomplish this task the threat actor created a custom error page containing the Coinhive script. So, every time the user receives an error page while wandering around the internet they are actually served this custom error page which will go to work mining cryptocurrency.

A backdoor is also included in the malicious code which enables the attacker to go in and make changes to the script, Kenin said, adding most of the changes noted so far are designed to clean up the code to give it a smaller footprint.

Kenin said using enterprise-level servers instead of attempting to infect end users or small websites was a stroke of genius by the attackers.

“There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses, each device serves at least tens if not hundreds of users daily,” he said,” adding, “Allegedly, each user would have initially gotten the CoinHive script regardless which site they visited. Even if this attack only works on pages that return errors, we're still talking about potentially millions of daily pages for the attacker.”

Once again this entire situation can be avoided if IT managers simply keep up to date on their patch management.

“This is a warning call and reminder to everyone who has a MikroTik device to patch as soon as possible, this attack may currently be prevalent in Brazil, but during the final stages of writing this blog, I also noticed other geo-locations being affected as well, so I believe this attack is intended to be on a global scale,” he said.